Setting Up Permissions for AWS Integration
To inventory resources in your AWS account, the RHL ASM Platform assumes an IAM role that you create in that account. Follow the steps below to grant the necessary permissions. Depending on the permissions the role carries, the platform runs either a comprehensive scan or a non-comprehensive (restricted) scan.
Steps to Configure Policies for Comprehensive Scans
- Open the Roles section in the IAM page of the AWS Console.
- Click on Create Role.
- Select the AWS Account box.
- Choose the Another AWS Account radio button.
- Enter the following 12-digit Account ID of the RHL ASM Platform:
585008039755
- Check the Require external ID checkbox. The external ID is the confused-deputy safeguard for cross-account roles: the platform can assume the role only when its AssumeRole call presents this exact value, so treat it like a credential.
- Copy the External ID from the RHL ASM Platform portal and paste it into the External ID field.
- Click Next.
- Under Permission Policies, search for and select:
ReadOnlyAccess
SecurityAudit
- Click Next.
- Provide a role name (e.g., rhl-asm-role).
- Click Create Role.
- Go to the newly created role in the Roles section.
- Copy the ARN from the summary section at the top of the role page (format: arn:aws:iam::XXXXXXXXXXXX:role/rhl-asm-role, where XXXXXXXXXXXX is your own account ID).
- Provide the ARN value in the platform portal.
Steps to Configure Policies for Non-Comprehensive Scans (Restricted Permissions)
- Open the Roles section in the IAM page of the AWS Console.
- Click on Create Role.
- Select the AWS Account box.
- Choose the Another AWS Account radio button.
- Enter the following 12-digit Account ID of the RHL ASM Platform:
585008039755
- Check the Require external ID checkbox.
- Copy the External ID from the platform portal and paste it into the External ID field.
- Click Next.
- In the Permission Policies section, click on Create Policy (opens in a new tab).
- Switch to the JSON tab.
- Paste the following JSON policy. Note that three of its statements (eks:*, lightsail:* and apigateway:*) allow every action of those services, including write actions, so the role is not strictly read-only; if your change control requires a read-only role, review those statements with the platform vendor before creating the policy.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["eks:*", "lightsail:*"],
      "Resource": "*"
    },
    {
      "Action": [
        "mediastore:Get*",
        "mediastore:List*",
        "mediastore:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "autoscaling:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["route53:Get*", "route53:List*", "route53:TestDNSAnswer"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3-object-lambda:Get*",
        "s3-object-lambda:List*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["apigateway:*"],
      "Resource": "arn:aws:apigateway:*::/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "cloudfront:DescribeFunction",
        "cloudfront:Get*",
        "cloudfront:List*",
        "iam:ListServerCertificates",
        "route53:List*",
        "waf:ListWebACLs",
        "waf:GetWebACL",
        "wafv2:ListWebACLs",
        "wafv2:GetWebACL"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "elasticloadbalancing:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeClassicLinkInstances",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "arc-zonal-shift:GetManagedResource",
      "Resource": "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "arc-zonal-shift:ListManagedResources",
        "arc-zonal-shift:ListZonalShifts"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowAPIs",
      "Effect": "Allow",
      "Action": [
        "acm:ListCertificates",
        "autoscaling:DescribeAccountLimits",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribePolicies",
        "autoscaling:DescribeLoadBalancers",
        "autoscaling:DescribeNotificationConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeScheduledActions",
        "cloudformation:DescribeStackResource",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplate",
        "cloudformation:ListStackResources",
        "cloudformation:ListStacks",
        "cloudformation:ValidateTemplate",
        "cloudtrail:LookupEvents",
        "cloudwatch:DescribeAlarms",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSnapshots",
        "ec2:DescribeSpotInstanceRequests",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:ListServerCertificates",
        "rds:DescribeDBEngineVersions",
        "rds:DescribeDBInstances",
        "rds:DescribeOrderableDBInstanceOptions",
        "rds:DescribeDBSnapshots",
        "s3:ListAllMyBuckets",
        "sns:ListSubscriptionsByTopic",
        "sns:ListTopics",
        "sqs:ListQueues"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:GetObjectAcl",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:GetBucketLocation",
        "s3:GetBucketPolicy",
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::elasticbeanstalk-*"
    }
  ]
}
```
- Click Next.
- Enter a name for the policy (e.g., rhl-asm-policy) and create the policy.
- Return to the previous tab where you were creating the role.
- Click the Refresh button next to the "Create Policy" button.
- Select your newly created policy by checking the box.
- Click Next.
- Provide a role name (e.g., rhl-asm-role).
- Click Create Role.
- Go to the newly created role in the Roles section.
- Copy the ARN from the summary section at the top of the role page (format: arn:aws:iam::XXXXXXXXXXXX:role/rhl-asm-role, where XXXXXXXXXXXX is your own account ID).
- Provide the ARN value in the platform portal.
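Both procedures above can also be carried out from code, which makes the resulting role reviewable before it exists. The following is an added example written for this page, not tooling from the RHL ASM Platform. It uses the platform account ID and the two managed policies from the steps above; the role name, policy name, customer account ID and external ID are placeholders you replace with your own values, and a real run assumes the boto3 library is installed. Besides creating the role the way the console does, it checks that a trust policy really requires the external ID (the check you would run against a role created by hand) and lists the bare service wildcards in the non-comprehensive policy that make it more than read-only.

```python
"""Create and audit the cross-account role for the RHL ASM Platform from code.

Added example, not part of the RHL ASM Platform's own tooling. The platform
account ID and the managed policies come from the setup steps; the role name,
policy name, customer account ID and external ID are placeholders.
"""
import json
import sys

PLATFORM_ACCOUNT_ID = "585008039755"   # RHL ASM Platform account, from the steps above
COMPREHENSIVE_POLICY_ARNS = (           # managed policies for the comprehensive-scan role
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    "arn:aws:iam::aws:policy/SecurityAudit",
)


def build_trust_policy(platform_account_id, external_id):
    """The trust policy the console writes for 'Another AWS account' plus
    'Require external ID': only callers from the platform account that present
    this exact external ID may assume the role (the confused-deputy mitigation)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{platform_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_is_safe(doc, platform_account_id, external_id):
    """Audit an existing trust policy (e.g. the AssumeRolePolicyDocument that
    `aws iam get-role` returns): every Allow on sts:AssumeRole must name only the
    platform account and carry the sts:ExternalId condition. A '*' principal or a
    missing condition would let anyone who learns the role ARN assume the role."""
    expected_principal = f"arn:aws:iam::{platform_account_id}:root"
    matched = False
    for st in doc.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if st.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        matched = True
        principal = st.get("Principal")
        if not isinstance(principal, dict) or principal.get("AWS") != expected_principal:
            return False
        if st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId") != external_id:
            return False
    return matched


def unrestricted_actions(policy):
    """Return every action in an Allow statement that is a bare service wildcard
    ('eks:*', 'apigateway:*', ...). Such actions include write calls, so they
    deserve a second look in a policy described as restricted."""
    found = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        found.update(a for a in actions if a == "*" or a.endswith(":*"))
    return sorted(found)


class DryRunIam:
    """Stand-in for boto3.client('iam') that records the requests instead of
    sending them, so they can be reviewed before the real run."""
    def __init__(self, account_id="123456789012"):   # constructed customer account ID
        self.account_id, self.calls = account_id, []
    def create_role(self, **kw):
        self.calls.append(("create_role", kw))
        return {"Role": {"Arn": f"arn:aws:iam::{self.account_id}:role/{kw['RoleName']}"}}
    def create_policy(self, **kw):
        self.calls.append(("create_policy", kw))
        return {"Policy": {"Arn": f"arn:aws:iam::{self.account_id}:policy/{kw['PolicyName']}"}}
    def attach_role_policy(self, **kw):
        self.calls.append(("attach_role_policy", kw))
        return {}


def create_scan_role(iam, role_name, external_id, managed_policy_arns=(),
                     custom_policy=None, custom_policy_name="rhl-asm-policy"):
    """Mirror the console steps: create the role with the external-ID trust policy,
    then attach the managed policies (comprehensive scans) and/or a customer-managed
    policy built from `custom_policy` (non-comprehensive scans). Returns the role
    ARN to paste into the platform portal."""
    trust = build_trust_policy(PLATFORM_ACCOUNT_ID, external_id)
    arn = iam.create_role(RoleName=role_name,
                          AssumeRolePolicyDocument=json.dumps(trust))["Role"]["Arn"]
    policy_arns = list(managed_policy_arns)
    if custom_policy is not None:
        policy_arns.append(iam.create_policy(PolicyName=custom_policy_name,
                                             PolicyDocument=json.dumps(custom_policy))["Policy"]["Arn"])
    for policy_arn in policy_arns:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return arn


if __name__ == "__main__":
    # Usage: python create_rhl_role.py <external-id-from-portal> [--apply]
    # Without --apply the requests are only recorded and printed for review.
    external_id = sys.argv[1] if len(sys.argv) > 1 and sys.argv[1] != "--apply" else "EXTERNAL-ID-FROM-PORTAL"
    if "--apply" in sys.argv:
        import boto3                        # only needed for the real run
        iam = boto3.client("iam")
    else:
        iam = DryRunIam()
    print(create_scan_role(iam, "rhl-asm-role", external_id, COMPREHENSIVE_POLICY_ARNS))
    for name, kw in getattr(iam, "calls", []):
        print(name, json.dumps(kw, indent=2))
```

Run it without --apply first: DryRunIam records the CreateRole, CreatePolicy and AttachRolePolicy requests so the exact trust policy can be read before anything reaches AWS. For a role created through the console, point trust_policy_is_safe at the AssumeRolePolicyDocument returned by `aws iam get-role --role-name rhl-asm-role` to confirm the external-ID condition is present, and run unrestricted_actions over the pasted non-comprehensive policy to see which statements go beyond read access.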